CVE-2024-40925

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
12/07/2024
Last modified:
17/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

block: fix request.queuelist usage in flush

Friedrich Weber reported a kernel crash problem and bisected to commit 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine").

The root cause is that we use "list_move_tail(&rq->queuelist, pending)" in the PREFLUSH/POSTFLUSH sequences. But rq->queuelist.next == xxx since it's popped out from plug->cached_rq in __blk_mq_alloc_requests_batch(). We don't initialize its queuelist just for this first request, although the queuelist of all later popped requests will be initialized.

Fix it by changing to use "list_add_tail(&rq->queuelist, pending)" so rq->queuelist doesn't need to be initialized. It should be ok since rq can't be on any list when PREFLUSH or POSTFLUSH, has no move actually.

Please note the commit 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine") also has another requirement that no drivers would touch rq->queuelist after blk_mq_end_request() since we will reuse it to add rq to the post-flush pending list in POSTFLUSH. If this is not true, we will have to revert that commit IMHO.

This updated version adds "list_del_init(&rq->queuelist)" in flush rq callback since the dm layer may submit request of a weird invalid format (REQ_FSEQ_PREFLUSH | REQ_FSEQ_POSTFLUSH), which causes double list_add if without this "list_del_init(&rq->queuelist)". The weird invalid format problem should be fixed in dm layer.
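The description above turns on one property of the kernel's intrusive lists: list_move_tail() unlinks an entry by writing through the entry's own prev/next pointers, while list_add_tail() only reads the destination head. The following is an added, self-contained model of that difference written for this page; it is not the kernel's list.h or blk-flush code. The helper names mirror the kernel's, the struct request union (queuelist sharing storage with the cached_rq chain pointer rq_next) is reproduced from memory of the kernel layout, and the "stale" sentinel is a constructed stand-in for whatever memory an uninitialized queuelist.prev happens to point at, so the stray write can be observed instead of crashing.

```c
/* Added example modelling CVE-2024-40925: list_move_tail vs list_add_tail on
 * an uninitialized list_head, plus the double-add case that list_del_init
 * guards against.  Written from scratch for this page; not kernel code. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }

static void __list_add(struct list_head *new, struct list_head *prev,
                       struct list_head *next)
{
    next->prev = new; new->next = next; new->prev = prev; prev->next = new;
}
/* Only reads head and head->prev; never looks at new's own pointers. */
static void list_add_tail(struct list_head *new, struct list_head *head)
{
    __list_add(new, head->prev, head);
}
/* Writes through the entry's CURRENT prev/next, whatever they hold. */
static void __list_del(struct list_head *prev, struct list_head *next)
{
    next->prev = prev; prev->next = next;
}
static void list_del_init(struct list_head *e)
{
    __list_del(e->prev, e->next); INIT_LIST_HEAD(e);
}
/* Unlink (trusting e->prev/e->next) and then append. */
static void list_move_tail(struct list_head *e, struct list_head *head)
{
    __list_del(e->prev, e->next); list_add_tail(e, head);
}

/* Request whose cached-chain pointer aliases queuelist.next, as in the kernel. */
struct request {
    union { struct list_head queuelist; struct request *rq_next; };
    int tag;
};

/* Models popping the first request off plug->cached_rq: its queuelist.next
 * still aliases the next cached request and queuelist.prev is never set. */
static struct request *pop_cached(struct request **cached)
{
    struct request *rq = *cached;
    *cached = rq->rq_next;
    return rq;
}

/* Bounded walk so a corrupted (cyclic) list still terminates. */
static int list_len_bounded(struct list_head *head, int max)
{
    int n = 0;
    for (struct list_head *p = head->next; p != head && n < max; p = p->next) n++;
    return n;
}

/* Pre-fix behaviour: list_move_tail on the uninitialized queuelist.
 * Returns 1 if memory that belongs to neither list was written. */
int preflush_with_move(void)
{
    struct list_head pending, stale;
    struct request r0 = {0}, r1 = {0}, r2 = {0};   /* constructed sample requests */
    INIT_LIST_HEAD(&pending); INIT_LIST_HEAD(&stale);
    r0.rq_next = &r1; r1.rq_next = &r2; r2.rq_next = NULL;
    r0.queuelist.prev = &stale;                    /* stands in for leftover garbage */
    struct request *cached = &r0;
    struct request *rq = pop_cached(&cached);
    list_move_tail(&rq->queuelist, &pending);      /* __list_del writes stale.next */
    return stale.next != &stale;
}

/* Fixed behaviour: list_add_tail ignores rq's stale pointers.  Returns the
 * pending length (1), or a negative code if anything else was touched. */
int preflush_with_add(void)
{
    struct list_head pending, stale;
    struct request r0 = {0}, r1 = {0}, r2 = {0};
    INIT_LIST_HEAD(&pending); INIT_LIST_HEAD(&stale);
    r0.rq_next = &r1; r1.rq_next = &r2; r2.rq_next = NULL;
    r0.queuelist.prev = &stale;
    struct request *cached = &r0;
    struct request *rq = pop_cached(&cached);
    list_add_tail(&rq->queuelist, &pending);
    if (stale.next != &stale || stale.prev != &stale) return -1;
    if (r1.queuelist.prev != NULL) return -2;      /* r1 left exactly as it was */
    return list_len_bounded(&pending, 16);
}

/* The PREFLUSH|POSTFLUSH case: the same rq is appended to pending twice.
 * Without list_del_init in between, the second add makes rq->next point at
 * rq itself and the walk never gets back to the head (returns the bound). */
int double_add_len(int use_del_init)
{
    struct list_head pending;
    struct request rq = {0};
    INIT_LIST_HEAD(&pending);
    list_add_tail(&rq.queuelist, &pending);          /* PREFLUSH */
    if (use_del_init) list_del_init(&rq.queuelist);  /* flush rq callback in the fix */
    list_add_tail(&rq.queuelist, &pending);          /* POSTFLUSH */
    return list_len_bounded(&pending, 16);
}

int main(void)
{
    printf("list_move_tail wrote outside both lists: %d\n", preflush_with_move());
    printf("list_add_tail pending length: %d\n", preflush_with_add());
    printf("double add without list_del_init: %d (16 = cycle)\n", double_add_len(0));
    printf("double add with list_del_init: %d\n", double_add_len(1));
    return 0;
}
```

In a real kernel the stray write lands on whatever queuelist.prev last held, which is why the report was a crash rather than a quietly wrong list; the model replaces that garbage with a sentinel so the effect is visible and checkable.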

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6 (including) 6.6.35 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*